pdftohtml security issue

From: Bill Moseley <moseley(at)not-real.hank.org>
Date: Wed Feb 01 2006 - 17:25:47 GMT
I see that there's a security warning out on pdftohtml (which is
based on the xpdf package that swish-e uses for indexing pdf files).

Might want to update your xpdf packages if this applies to
you.  (I think xpdf was updated in August last year to fix the
overflows.)

I do not doubt that swish-e has some chance of buffer overflows in
parts of the code.  None that I know of, but it's possible.

Never run indexing or searching as root.  If indexing untrusted
sources you would likely want to run swish under a uid that can't do
damage.  Normal security stuff, you know.  Keep a look out.  There's
evil all around.  Take care who you talk to.  Especially on the phone.



    --------------------------------------------------------------------------
    Debian Security Advisory DSA 962-1                     security@debian.org
    http://www.debian.org/security/                             Martin Schulze
    February 1st, 2006                      http://www.debian.org/security/faq
    --------------------------------------------------------------------------

    Package        : pdftohtml
    Vulnerability  : buffer overflows
    Problem type   : remote
    Debian-specific: no
    CVE IDs        : CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624
                     CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628

    "infamous41md" and Chris Evans discovered several heap based buffer
    overflows in xpdf which are also present in pdftohtml, a utility that
    translates PDF documents into HTML format, and which can lead to a
    denial of service by crashing the application or possibly to the
    execution of arbitrary code.

    The old stable distribution (woody) does not contain pdftohtml packages.

    For the stable distribution (sarge) these problems have been fixed in
    version 0.36-11sarge1.

    For the unstable distribution (sid) these problems will be fixed soon.

    We recommend that you upgrade your pdftohtml package.




-- 
Bill Moseley
moseley@hank.org

Received on Wed Feb 1 09:25:51 2006
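
The advice in the message above (never index as root, and convert untrusted files under a uid that can't do damage) can be enforced by a small wrapper around the PDF converter. This is an added example, not part of the original post or of swish-e; it assumes xpdf's `pdftotext` is the converter, and the function names and limit values are illustrative.

```shell
#!/bin/sh
# Added example: least-privilege wrapper for converting untrusted PDFs
# during indexing. Assumption: xpdf's pdftotext is the converter in use.

# Succeeds only for a non-root uid ("never run indexing or searching as root").
refuse_root() {
    if [ "$1" -eq 0 ]; then
        echo "refusing to run as root; use an unprivileged indexing uid" >&2
        return 1
    fi
    return 0
}

# Cheap sanity check: a readable regular file starting with the PDF magic.
# This filters stray input; it does not make a malicious PDF safe to parse.
looks_like_pdf() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ "$(head -c 5 -- "$1" 2>/dev/null)" = "%PDF-" ]
}

# Run a command in a subshell with tight resource limits, so a crash or a
# runaway parse costs one file rather than the indexing host.
# Limit values are illustrative; exit 125 means a limit could not be set.
run_limited() {
    (
        umask 077
        ulimit -c 0      || exit 125   # no core dumps
        ulimit -t 30     || exit 125   # CPU seconds
        ulimit -v 524288 || exit 125   # address space, in KiB
        exec "$@"
    )
}

# Convert one PDF to text on stdout, or fail closed.
convert_untrusted_pdf() {
    pdf=$1
    case $pdf in -*) pdf="./$pdf" ;; esac   # never let a filename act as an option
    refuse_root "$(id -u)" || return 1
    looks_like_pdf "$pdf" || { echo "skipping non-PDF input: $pdf" >&2; return 1; }
    run_limited pdftotext "$pdf" -
}

# Usage: sh safe-pdf.sh file.pdf
if [ "$#" -gt 0 ]; then
    convert_untrusted_pdf "$1"
fi
```

The wrapper contains the damage from a vulnerable parser but does not replace upgrading the xpdf or pdftohtml package to a fixed version.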